Posted by Awinish on April 9, 2011
I have seen people on various forums and blogs get confused about how to configure the DNS server in a child domain for resolution of the parent domain's names. The confusion is: should the child DNS server point to itself for its DNS server address, or to the parent's DNS server, for name resolution of both the parent and the child domain? To make life easier and remove the confusion, I thought of writing this article on my blog.
Firstly, understand that DNS is the backbone of AD, and most of the issues we face in our environments are caused by improper configuration of the DNS server. In a few posts I saw people using a public IP or the ISP's DNS address directly in the NIC of their servers and domain systems as the preferred DNS server address, which is absolutely wrong. The reason is that when a DNS lookup is performed for a resource record in the local domain, the system first queries the local hosts file (in the "etc" folder); if nothing is configured there, it uses the preferred DNS server IP from the NIC. If the NIC's preferred DNS address is a public IP or the ISP's IP, the query for local domain names is sent directly to that public server, and it keeps trying until it reports that the request timed out. The reason is that your local domain and its records exist only in your local DNS server; how can a DNS server hosted outside your domain even know of the existence of a private domain for which it holds no records? From a security perspective, it is also a big opening for an attacker to penetrate your infrastructure and gain access to your network.
The public DNS server's IP has to be configured in the Forwarders tab of your local DNS server. If you have multiple DNS servers running in your domain, configure the forwarders of all of them with this public DNS IP address, but make sure you obtain this public DNS server address from your ISP and are not using something like 220.127.116.11 or 18.104.22.168/22.214.171.124, since these are not the authoritative DNS servers for your domain through which the query has to pass for name resolution. Queries for external domain names have to pass through your ISP's DNS server. Using 126.96.36.199 or any other public IP directly in your DCs/servers as the preferred or alternate DNS server poses a security threat to the environment.
Question: How do I set up DNS for a child domain?
Answer: To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.
Note: Windows Server 2003 has additional types of zones, such as Stub Zones and forest-level integrated Active Directory zones, that may be a better fit for your environment.
Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.
How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain
Note: Ignore the OS version; this applies to all Windows OS versions, as the DNS concepts have not changed.
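The steps from the KB answer above (delegation on the parent, a secondary zone on the child, the child DC pointing to itself first) as an added PowerShell example, not code from the original post or the KB; the zone names, server addresses and NIC alias are assumptions, as are the DnsServer and DnsClient modules of Windows Server 2012 and later:

```powershell
# Added example, not from the original post or the KB article it quotes.
# Assumed names: parent zone corp.example on DNS server 10.0.0.10,
# child zone sales.corp.example with DNS servers 10.1.0.10 (dc1) and
# 10.1.0.11 (dc2), NIC alias 'Ethernet', ISP resolver 203.0.113.53.

# --- On the PARENT DNS server: delegate the child namespace ---
# Creates the NS record for 'sales' plus the glue A record, so parent-side
# resolvers know which server is authoritative for the child zone.
Add-DnsServerZoneDelegation -Name 'corp.example' -ChildZoneName 'sales' `
    -NameServer 'dc1.sales.corp.example' -IPAddress 10.1.0.10

# Zone transfers are off by default; allow only the child DNS servers to pull
# the parent zone (the KB's "secondary zone" approach needs this).
Set-DnsServerPrimaryZone -Name 'corp.example' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 10.1.0.10, 10.1.0.11

# --- On the CHILD DNS server: hold a copy of the parent zone ---
# Secondary zone as in the KB answer. A stub zone (Add-DnsServerStubZone)
# is the lighter alternative the note mentions.
Add-DnsServerSecondaryZone -Name 'corp.example' -ZoneFile 'corp.example.dns' `
    -MasterServers 10.0.0.10

# The ISP resolver belongs in the forwarders, never on the NIC.
Set-DnsServerForwarder -IPAddress 203.0.113.53

# --- Child DC's NIC: itself first, the other child DC as alternate ---
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' `
    -ServerAddresses 10.1.0.10, 10.1.0.11

# Check: a parent-domain name now resolves through the child DNS server.
Resolve-DnsName -Name 'dc1.corp.example' -Server 10.1.0.10 -Type A
```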
Posted by Awinish on March 8, 2011
In many forum posts I often see the question of how to configure DNS on a domain controller: should the primary DNS point to itself or to a secondary DNS server, is it OK to configure the loopback IP, and what are the best practices?
I will not cover everything here; the link below answers it for you. A few things I would like to mention:
- NEVER configure a public IP directly in the NIC of either the DC or the clients.
- A public IP (the ISP's DNS) used for external domain name resolution should always be configured in the Forwarders of the DNS servers.
Ned Pyle from Microsoft has written up the recommendations and best practices for DNS, so next time you are confused or looking for best practices, follow the link below.
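An audit of the two rules above, which the April 9 post makes as well (public resolvers go in Forwarders, never on the NIC), as an added PowerShell example that is not from either post; the placeholder ISP address and the interface alias are assumptions, and it is meant to run on a DC holding the DNS Server role:

```powershell
# Added example (not from the posts): flag any NIC DNS server address that is
# not a private (RFC 1918) or loopback address, then show where external
# resolution actually goes. 203.0.113.53 is a placeholder ISP resolver.

function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

# 1. NIC-level DNS servers: these must be internal DNS servers only,
#    otherwise every lookup for the AD domain leaves the network.
$nicServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($nic in $nicServers) {
    foreach ($srv in $nic.ServerAddresses) {
        if (-not (Test-PrivateIPv4 $srv)) {
            Write-Warning "$($nic.InterfaceAlias): public resolver $srv configured on the NIC"
        }
    }
}

# 2. Forwarders: the only place an external resolver should appear.
$fwd = Get-DnsServerForwarder
if (-not $fwd.IPAddress) {
    Write-Warning 'No forwarders configured; external lookups fall back to root hints'
} else {
    "Forwarders: $($fwd.IPAddress.IPAddressToString -join ', ')"
}

# 3. Remediation: move the ISP resolver into the forwarders and point the NIC
#    at internal DNS servers (10.0.0.10/10.0.0.11 are assumed addresses).
# Set-DnsServerForwarder -IPAddress 203.0.113.53
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.10, 10.0.0.11
```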
Posted by Awinish on February 8, 2011
Scavenging is the process that removes stale records from DNS to keep it healthy. A lot of people have doubts about whether it should be enabled, and find themselves confused about what exactly scavenging is and how it works.
I have seen the question: if I create a static record (a record created manually), is that static record also eligible for scavenging? The answer is no. The reason is that when you create a static record, the box "Delete this record when it becomes stale" is unchecked (shown in the figure), which is not the case for records created by the automatic registration process.
When a machine is disjoined from the domain, its record is not deleted instantly; instead the dnsTombstoned attribute is changed to TRUE and the record is deleted from the DNS server's in-memory cache. The scavenging process starts at 2 AM every day and checks whether the dnsTombstoned value is set for deletion or not.
DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones
Don’t be afraid of DNS Scavenging. Just be patient
It Takes Two–DNS scavenging
How to enable auditing of records creation, modification or deletion in DNS?
The above is the reason the DNS records are not deleted immediately: the dnsTombstoned attribute is changed to True or False for later deletion. So if you plan to rejoin a system to the domain immediately after removing it, you need to delete its DNS records manually, along with deleting the computer object from ADUC, or wait a few hours for this to be done. Take a look at the link below to know more.
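To see the state described above on your own server (scavenging settings, which records are static and therefore never scavenged, and the tombstoned dnsNode objects left behind by departed machines), an added PowerShell example that is not from the original post; the zone name, the DomainDnsZones partition and the example hostname are assumptions:

```powershell
# Added example (not from the original post). Assumes the AD-integrated zone
# corp.example replicated to the DomainDnsZones partition, and a DC with the
# DnsServer and ActiveDirectory modules.
$zone = 'corp.example'

# Server-wide scavenging switch and interval (the periodic pass the post refers to).
Get-DnsServerScavenging | Select-Object ScavengingState, ScavengingInterval, LastScavengeTime

# Per-zone aging: a record becomes eligible only after NoRefresh + Refresh have elapsed.
Get-DnsServerZoneAging -Name $zone |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

# Static records carry no timestamp ("Delete this record when it becomes stale"
# unchecked), so scavenging never touches them; dynamically registered ones do.
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Select-Object HostName,
        @{ n = 'Address'; e = { $_.RecordData.IPv4Address } },
        @{ n = 'Static';  e = { $null -eq $_.Timestamp } },
        Timestamp

# Records of machines that left the domain are not removed right away: the
# dnsNode object stays in the zone partition with dNSTombstoned = TRUE until
# the DNS server purges it after its tombstone interval.
$domainDN = (Get-ADDomain).DistinguishedName
Get-ADObject -SearchBase "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN" `
    -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
    -Properties dNSTombstoned, whenChanged |
    Select-Object Name, whenChanged

# Manual cleanup when a machine must be rejoined immediately (the post's
# workaround); 'oldhost' is a placeholder name.
# Remove-DnsServerResourceRecord -ZoneName $zone -RRType A -Name 'oldhost' -Force
```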
I wanted to point out this wonderful article explaining duplicate DNS zones, well written by Greg. I was pointed to this article by Mike Kline.
Am I Seeing Double? The case of “Multiple copies of the same DNS zone”